Posted by Christiaan Brand – Group Product Manager
In 2019 we introduced a FIDO2 API, adopted by many leading developers, which allows users to generate an attested, device-bound FIDO2 credential on Android devices.
Since this launch, Android has generated an attestation statement based on the SafetyNet API. As the underlying SafetyNet API is being deprecated, the FIDO2 API must move to a new attestation scheme based on hardware-backed key attestation. This change will require action from developers using the FIDO2 API to ensure a smooth transition.
The FIDO2 API is closely related to, but distinct from, the passkeys API and is invoked by setting the residentKey parameter to discouraged. While our goal is over time to migrate developers to the passkey API, we understand that not all developers who are currently using the FIDO2 API are ready for that move, and we continue working on ways to converge these two APIs.
We will update the FIDO2 API on Android to provide attestation statements based on hardware-backed key attestation. As of November 2024, developers can opt in to this attestation scheme with controls for individual requests. This should be useful for testing and incremental rollouts, while also allowing developers full control over the timing of the change over the next 6 months.
We will begin returning hardware-backed key attestation by default for all developers in early April 2025. From that point, SafetyNet certificates will no longer be granted. It is important to implement support for the new attestation statement, or to move to the passkey API, before the cutover date; otherwise your applications might not be able to parse the new attestation statements.
For web apps, requesting hardware-backed key attestation requires Chrome 130 or higher enrolled in the WebAuthn attestationFormats origin trial. (Learn more about origin trials.) Once these conditions are met, you can specify the attestationFormats parameter in your navigator.credentials.create call with the value ["android-key"].
If you're using the FIDO2 Play Services API in an Android app, switching to hardware-backed key attestation requires Play Services version 22.0.0 on the device. Developers can then specify android-key as the attestation format in the PublicKeyCredentialCreationOptions. You will need to update your Play Services dependencies to see this new option.
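As an added example (not code from the Android post), the web-client creation options that request the android-key format, together with a relying-party check that the returned attestationObject uses a format the server can parse during the transition. The rp/user values and the sample attestation object are constructed placeholders; the CBOR decoder covers only the types an attestation object uses, and the block runs under Node.js.

```javascript
// Client side: options for navigator.credentials.create (Chrome 130+ with the origin trial).
// rp and user values below are constructed placeholders.
function creationOptions(challenge, userId) {
  return {
    rp: { id: "example.com", name: "Example RP" },
    user: { id: userId, name: "user@example.com", displayName: "Example user" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
    authenticatorSelection: { residentKey: "discouraged" }, // FIDO2 API, not passkeys
    attestation: "direct",
    attestationFormats: ["android-key"], // ask for hardware-backed key attestation
  };
}

// Minimal CBOR decoder: unsigned ints, byte strings, text strings, arrays, maps.
// Returns [value, nextOffset].
function decodeCbor(buf, pos = 0) {
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let len = info, p = pos + 1;
  if (info === 24) { len = buf[p]; p += 1; }
  else if (info === 25) { len = buf.readUInt16BE(p); p += 2; }
  else if (info === 26) { len = buf.readUInt32BE(p); p += 4; }
  else if (info > 26) throw new Error("unsupported CBOR length encoding");
  switch (major) {
    case 0: return [len, p];
    case 2: return [buf.subarray(p, p + len), p + len];
    case 3: return [buf.toString("utf8", p, p + len), p + len];
    case 4: { const arr = []; for (let i = 0; i < len; i++) { let v; [v, p] = decodeCbor(buf, p); arr.push(v); } return [arr, p]; }
    case 5: { const m = {}; for (let i = 0; i < len; i++) { let k, v; [k, p] = decodeCbor(buf, p); [v, p] = decodeCbor(buf, p); m[k] = v; } return [m, p]; }
    default: throw new Error(`unsupported CBOR major type ${major}`);
  }
}

// Server side: formats this relying party knows how to verify during the cutover.
const SUPPORTED_FORMATS = new Set(["android-key", "android-safetynet"]);

// Returns the fmt of an attestationObject, or throws if the server cannot parse it.
function attestationFormat(attestationObject) {
  const [obj] = decodeCbor(attestationObject);
  if (typeof obj.fmt !== "string") throw new Error("attestationObject has no fmt field");
  if (!SUPPORTED_FORMATS.has(obj.fmt)) throw new Error(`unsupported attestation format: ${obj.fmt}`);
  return obj.fmt;
}

// Constructed sample: CBOR {"fmt": "android-key", "attStmt": {}, "authData": h'01020304'}.
const tstr = (s) => Buffer.concat([Buffer.from([0x60 | s.length]), Buffer.from(s)]);
const SAMPLE_ANDROID_KEY = Buffer.concat([
  Buffer.from([0xa3]), tstr("fmt"), tstr("android-key"),
  tstr("attStmt"), Buffer.from([0xa0]),
  tstr("authData"), Buffer.from([0x44, 1, 2, 3, 4]),
]);
```

A real attestation statement must still be verified against its format's rules (for android-key, the certificate chain and the key attestation extension); this block only dispatches on the format so an unexpected one fails loudly instead of being silently mis-parsed.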
We will continue to evolve the FIDO APIs. Please continue to provide feedback via fido-dev@fidoalliance.org to connect with the team and the developer community.